Description
In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in MmsSmsProvider.java where a missing permission check allows an application to read sensitive information from the MMS/SMS provider. This enables local disclosure of private data without requiring elevated privileges or additional user interaction. The weakness is represented by CWE-862, reflecting an authorization failure that can lead directly to information leakage.

Affected Systems

The vulnerability affects Android operating system installations that include the MmsSmsProvider component. All devices running affected builds of Android are potentially impacted; the reference provided points to the Android 17 security bulletin.

Risk and Exploitability

The CVSS score of 10 is the maximum severity rating for this local information disclosure issue. The EPSS score of less than 1% indicates a very low estimated probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: any application running on the device can exploit the missing permission check without user interaction, which makes prompt patching of the Android platform important.

Generated by OpenCVE AI on June 17, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android firmware update that includes the MmsSmsProvider patch.
  • Install the official security patch provided by Google for affected Android builds.
  • Configure device security settings to restrict apps from accessing SMS/MMS data unless explicitly granted the necessary permissions.



Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-862 |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 17 Jun 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google, Google android |
| Vendors & Products | | Google, Google android |

Wed, 17 Jun 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
| References | | |
| Metrics | | cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T10:40:46.047Z

Reserved: 2026-03-02T19:11:00.351Z

Link: CVE-2026-28587

Vulnrichment

Updated: 2026-06-17T10:40:37.790Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T08:30:04Z

Weaknesses